iPad pairing question

We're getting ready to implement JAMF Pro later this month. (I've used AirWatch the past few years.) I've got a best practices question regarding enabling/disabling pairing in the DEP profile. Basic question is, do you allow it or not? Currently we allow it for staff-assigned iPhones but disallow it on iPads across the board.

Context here is we previously had a lot of 1:1 devices that went home with students, so I had pairing disabled to try to mitigate jailbreaking attempts and general tomfoolery that students sometimes get into ("I synced my iPad at home and lost all my school apps/data"). Restricting it was never a showstopper, but once in a while we need to pair with iTunes to get files off the device or load files into a specific app (for example, one special needs app would only load files via iTunes; couldn't get it to use AirDrop or other methods). Now we mainly are using cart devices and have some 1:1 staff iPads, with very few going home with students. I feel like jailbreaking is less of an issue the past couple years, but maybe I'm out of the loop. I'm thinking that relaxing this security setting on iPads for user convenience would not be too disastrous. I'm wondering what you chose to do?

Ideally we'd just disable pairing across the board and enable it on a case-by-case basis, but as I understand it, since this setting is managed at the DEP profile level, it requires a full reset and re-enroll to change it. By the time the need to pair a device arises it's too late to change the setting. I had hopes that having a matching Configurator 2 supervision identity would allow "pairing restricted" iPads to pair with our tech staff's Configurator stations for troubleshooting, passcode clearing, etc., but haven't been able to get that to work consistently.

We have pairing enabled for both our 1:1 and shared environments in our school district for the reasons you mentioned. There are too many times where we need to connect an iPad to iTunes or Apple Configurator 2 for us to have pairing disabled.

We currently have pairing allowed in the PreStage enrollment and then restricted with a configuration profile. In that way we don't have to wipe and re-enroll if we need to allow it for troubleshooting, etc. But usually we want to allow it because the device has lost communication with the MDM or there is some other issue with it, at which point removing the profile is impossible and we are stuck. This has been an ongoing issue for us and has required that we DFU restore devices without ever being able to get to the root cause of an issue, though it's a handy way for Apple and Jamf to get out of doing extra work. We have labored under the pretense that having it wide open would be more of a risk; however, in speaking with some IT colleagues and an SE from Apple yesterday, there was a consensus that this used to be more of a problem but isn't too big of a deal anymore.

The only thing stopping me from pulling it back right now is the device association limit. Apple says "You can have ten devices (no more than five of them computers) associated with your Apple ID and iTunes at one time...You can remove an associated device if you reach your limit of associations and want to add a new one, you can't download past purchases from the iTunes Store, or you want to sell or give away an associated device." If you wipe a device while the user is still signed in to iCloud, even if it is a MAID, that device is still associated with you until you remove it in iCloud on another device. So if we wipe 12th grade devices and hand them off to 5th grade for the following year, will there be limitations on those devices because we allowed the previous student to pair, and they chose to associate the max number of devices? At that point they're gone and we can't sign in as them to remove those devices, so are we stuck? If I could get an answer that this would not be a problem then I would be ready to allow pairing starting immediately.
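
The layering described in the post above (pairing allowed at the DEP/PreStage level, then restricted with a removable Restrictions configuration profile) can be checked mechanically. The script below is an added example and is not code from the thread, from Jamf or from Apple. It assumes Apple's real key names: `allow_pairing` in a DEP profile JSON and `allowHostPairing` in a `com.apple.applicationaccess` (Restrictions) payload. The profile contents, the `mdm.example.com` URL and the payload identifiers/UUIDs are constructed placeholders. The `mdm_reachable` flag models the caveat from the post: the profile can only be removed if the device still talks to the MDM. The device-association limit is not modeled.

```python
import json
import plistlib

# Constructed sample DEP / PreStage profile, in the shape of Apple's DEP
# "define profile" JSON. allow_pairing is baked in at enrollment and only
# changes after a wipe and re-enroll.
DEP_PROFILE = json.dumps({
    "profile_name": "Student iPads (constructed example)",
    "url": "https://mdm.example.com/enroll",  # placeholder, not a real MDM
    "is_supervised": True,
    "is_mandatory": True,
    "allow_pairing": True,
})

# Constructed sample DEP profile that disallows pairing at the enrollment layer.
DEP_PROFILE_NO_PAIRING = json.dumps({
    "profile_name": "Locked-down iPads (constructed example)",
    "url": "https://mdm.example.com/enroll",  # placeholder
    "is_supervised": True,
    "is_mandatory": True,
    "allow_pairing": False,
})

# Constructed sample Restrictions configuration profile (.mobileconfig) that
# disallows host pairing. Unlike the DEP setting, this payload can be removed
# by the MDM without wiping the device.
RESTRICTIONS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions.pairing",  # placeholder
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",   # placeholder
    "PayloadVersion": 1,
    "PayloadDisplayName": "Disallow host pairing (constructed example)",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.restrictions.pairing.applicationaccess",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadVersion": 1,
        "allowHostPairing": False,
    }],
})


def dep_allows_pairing(dep_profile_json):
    """Read allow_pairing from a DEP profile; Apple's default when absent is true."""
    return bool(json.loads(dep_profile_json).get("allow_pairing", True))


def profile_restricts_pairing(mobileconfig):
    """True if any Restrictions payload in the profile sets allowHostPairing to false."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        if payload.get("allowHostPairing", True) is False:
            return True
    return False


def effective_pairing(dep_profile_json, installed_profiles, mdm_reachable=True):
    """
    Return (pairing_allowed_now, can_be_allowed_without_wipe).

    Pairing is allowed only if the DEP layer allows it AND no installed
    profile restricts it. It can be turned on without a wipe only if the DEP
    layer already allows it and, where a profile restricts it, the MDM can
    still reach the device to remove that profile.
    """
    dep_ok = dep_allows_pairing(dep_profile_json)
    restricted = any(profile_restricts_pairing(p) for p in installed_profiles)
    allowed_now = dep_ok and not restricted
    relaxable = dep_ok and (not restricted or mdm_reachable)
    return allowed_now, relaxable


if __name__ == "__main__":
    print("DEP allows, profile restricts, MDM reachable:",
          effective_pairing(DEP_PROFILE, [RESTRICTIONS_PROFILE]))
    print("DEP allows, profile restricts, MDM unreachable:",
          effective_pairing(DEP_PROFILE, [RESTRICTIONS_PROFILE], mdm_reachable=False))
    print("DEP disallows, no profile:",
          effective_pairing(DEP_PROFILE_NO_PAIRING, []))
```

Running it shows the trade-off from the post: with pairing allowed in DEP and restricted by profile, pairing is off but can be re-enabled without a wipe as long as the device still checks in; once the device stops talking to the MDM, or when pairing was disallowed in DEP itself, the only path back is a restore and re-enroll.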

I spoke with a senior advisor at Apple about this and he recommended that we continue to restrict pairing. Jailbreak isn't as much of a concern anymore with the newer chips, but the device association issue I mentioned above could be a problem. We will continue to do what we're doing unless someone can convince me otherwise :)